Data Processing Agreement (Template)
Data Processing Agreement (Template) for Nova
Version: v2025-10 • Breach notice: 48h of becoming aware • TLS: 1.2+ (target 1.3) • Law/Forum (SCC): IE • Gov. Law: England & Wales
This Data Processing Agreement ("DPA") is intended for use with customers who request a standalone DPA. It mirrors Schedule 1 of the Terms of Service and includes a 48-hour breach notice, transfer mechanisms (EU SCCs + UK IDTA), and a reference to our public Sub-processors page.
Replace bracketed fields before sending: [Customer Legal Name], [Jurisdiction], [Effective Date], [Customer Contact Email].
Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of the agreement between [Customer Legal Name] ("Controller") and DWEET LTD ("Processor", "Dweet", "Nova") with effect from [Effective Date] (together, the "Agreement"). Capitalized terms not defined in this DPA have the meaning given in the Agreement.
1. Definitions
- "Applicable Data Protection Law" means all laws and regulations relating to data protection, privacy, and the use of personal data applicable to the processing under this DPA, including the EU GDPR, the UK GDPR, the Swiss Federal Act on Data Protection (FADP), and national implementations thereof.
- "EU GDPR" means Regulation (EU) 2016/679.
- "UK GDPR" means the EU GDPR as incorporated into UK law by the Data Protection Act 2018, as amended.
- "Personal Data", "Data Subject", "Controller", "Processor", "Processing" have the meanings given in Applicable Data Protection Law.
- "Sub-processor" means any processor engaged by Processor to process Personal Data on behalf of Controller.
2. Roles and Scope
2.1 Controller is the Controller of Personal Data; Processor processes Personal Data on behalf of Controller to provide the Nova services as described in the Agreement.
2.2 Processor will process Personal Data only on documented instructions from Controller, including with regard to transfers of Personal Data to a third country or an international organisation, unless required to do so by applicable law; in such a case, Processor will inform Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
2.3 Details of the processing (categories of data, data subjects, purpose, duration) are set out in Annex I (Processing Details).
2.4 Special categories: Processor does not intentionally collect special categories of Personal Data. Resumes supplied via Controller’s ATS may nonetheless contain such information. Processor processes that content only to provide the Service (e.g., parsing, scoring, search) and does not purposefully create profiles about protected characteristics. Controller is responsible for ensuring any required lawful basis under Article 9 GDPR where such data is present, including providing any required notices to candidates.
2.5 ATS-only integrations. Processor integrates only with Controller-designated ATS platforms and Nova's own user interface. Processor does not request or require connectivity to other Controller systems (e.g., HRIS, payroll, email, file storage). Personal Data processed by Processor originates from the Controller's ATS (and limited inputs provided directly by Users in Nova). This keeps the integration surface narrowly scoped.
3. Confidentiality and Personnel
3.1 Processor will ensure that persons authorised to process Personal Data are under appropriate confidentiality obligations.
3.2 Processor will ensure that access to Personal Data is limited to personnel who require such access for the performance of the Service under the Agreement.
4. Security Measures
4.1 Processor will implement and maintain appropriate technical and organisational measures ("TOMs") to ensure a level of security appropriate to the risk, including the measures described in Annex II (Technical and Organisational Measures).
4.2 Processor will regularly test, assess, and evaluate the effectiveness of TOMs and make improvements as necessary.
5. Sub-processors
5.1 Controller authorises Processor to engage Sub-processors as listed in Annex III (Sub-processors) and on Processor's public Sub-processors page (kept current and accessible to Controller). Processor will provide at least 15 days' advance notice of any intended changes via that page or email notification to Controller.
5.2 Controller may object on reasonable grounds related to data protection. If the parties do not agree on a resolution within 30 days, Controller may terminate the affected services without penalty.
5.3 Processor will impose data protection terms on Sub-processors that provide at least the same level of protection as this DPA and remains liable for each Sub-processor’s performance.
5.4 Emergency addition: Where an immediate Sub-processor engagement is strictly necessary to address an urgent security, continuity, or compliance issue, Processor may add the Sub-processor and will notify Controller without undue delay, honouring the objection/termination rights above.
6. International Transfers
6.1 Personal Data is primarily hosted in the United Kingdom (AWS eu-west-2). Where processing by Processor or its Sub-processors involves a transfer outside the UK or EEA, such transfer will be governed by appropriate safeguards, including:
- the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) — Module 2 (Controller→Processor) and Module 3 (Processor→Sub-processor), as applicable; and
- the UK International Data Transfer Addendum (IDTA) to the EU SCCs, in each case as completed in Annex IV (Transfer Mechanisms).
6.2 AI inference providers. OpenAI API data is not used to train OpenAI's models; OpenAI may retain inputs/outputs for up to 30 days for abuse monitoring unless Zero Data Retention (ZDR) is enabled. Google Cloud Vertex AI is configured for Zero Data Retention and no training on customer data.
6.3 Processor will provide reasonable information to support Controller's transfer impact assessments (TIAs) upon request.
7. Assistance to Controller
7.1 Taking into account the nature of processing, Processor will assist Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of Controller’s obligation to respond to Data Subject requests under Applicable Data Protection Law.
7.2 Processor will assist Controller with data protection impact assessments and consultations with supervisory authorities where required, taking into account the nature of processing and the information available to Processor. Upon request, Processor will provide reasonable information to support Controller's TIAs for restricted transfers.
8. Personal Data Breach
8.1 Processor will notify Controller without undue delay and in any event within 48 hours of becoming aware of a Personal Data Breach affecting Controller’s Personal Data. Such notification shall describe the nature of the breach, the categories and approximate number of Data Subjects and data records affected, likely consequences, and measures taken or proposed to address the breach.
8.2 Processor will promptly take steps to contain, investigate, and remediate the breach, keep Controller informed, and cooperate with Controller’s reasonable requests and regulatory obligations.
9. Records and Audit
9.1 Processor will maintain records of processing activities as required by Applicable Data Protection Law and make them available to Controller upon request.
9.2 At Controller’s expense, and no more than once in any 12-month period (unless required by a competent authority or following a material Personal Data Breach), Controller may audit Processor’s compliance with this DPA. Audits will be conducted during business hours with at least 10 business days’ prior written notice and in a manner that does not unduly disrupt Processor’s operations. The parties will agree audit scope in good faith within 10 business days of the notice and schedule fieldwork within 30 days thereafter. Processor may require audits to be performed by an independent third party under confidentiality.
10. Deletion
10.1 Upon termination or expiry of the Agreement, Processor will delete all Personal Data, including existing copies, within 56 days, unless applicable law requires storage. No bespoke data return service is provided. Controller has a 30-day export window following termination.
10.2 Backups and archives: Routine backups are overwritten within the configured retention period (RDS 35 days; OpenSearch automated snapshots 14 days by default). Where Snapshot Management to S3 is enabled, snapshots are deleted per the configured S3 lifecycle policy (target ≤35 days), unless longer retention is required by law.
11. Liability and Precedence
11.1 The total aggregate liability of each party under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Agreement. Nothing in this DPA limits a party’s liability where such limitation is not permitted by law.
11.2 In case of conflict between this DPA and the Agreement, this DPA prevails to the extent of the conflict as it relates to the processing of Personal Data.
12. Governing Law and Jurisdiction
12.1 This DPA is governed by the laws of England and Wales without regard to conflict of laws principles. The courts of England and Wales shall have exclusive jurisdiction to settle any dispute arising out of or in connection with this DPA, subject to mandatory Applicable Data Protection Law.
13. Contact
Processor’s Data Protection contact: andreas@dweet.com
Annex I – Processing Details
1. Data Subjects: job candidates, and employees or contractors of Controller who use Nova.
2. Categories of Personal Data:
- Candidate data typically found in resumes/CVs and applications (employment history, education, skills, qualifications), contact details contained in resumes, application metadata.
- Nova-generated assessment results and associated explanations.
- Job data from the ATS (non-personal): job descriptions, requirements, application questions.
- Account data for Controller's users (names, email addresses, roles).
3. Special Categories of Personal Data:
- Not intentionally collected; however, resumes supplied by Controller's ATS may contain special category data in free text. Processor processes such content only to provide the Service and does not purposefully create profiles based on protected characteristics. Controller remains responsible for Article 9 lawful basis where applicable.
4. Purpose of Processing:
- Candidate evaluation and ranking; generation of interview questions; talent rediscovery; service operation and support; security and compliance logging.
5. Duration of Processing:
- For the term of the Agreement and for 56 days thereafter (post-termination deletion window), except where longer retention is required by law.
6. Nature of Processing:
- Collection, storage, organisation, analysis by AI inference, retrieval, transmission to authorised recipients, and deletion.
7. Data Sources:
- Personal Data is sourced from the Controller's ATS via API/webhooks and from inputs provided by Users in Nova. Optional enrichments (e.g., OpenCage geocoding, Proxycurl LinkedIn data, PDF conversion via Gotenberg/Modal) are used only where enabled by Controller. Processor does not integrate with other Controller systems.
Annex II – Technical and Organisational Measures (TOMs)
Security controls include, without limitation:
- Encryption in transit (TLS 1.2 or higher, targeting TLS 1.3). At rest: RDS with AWS KMS-managed keys; OpenSearch with a dedicated KMS key; S3 resume buckets with SSE-S3 (AES-256 with bucket keys); key rotation per policy.
- Access controls: SSO/MFA for administrative access; role-based access; least-privilege and time-bound elevation; application-layer field-level authorization for PII; audit logging of access to candidate records and sensitive operations.
- Secrets management: long-lived credentials (e.g., OAuth refresh tokens, API keys) are stored in AWS Secrets Manager with AWS KMS at rest and environment scoping. Access tokens are short-lived and cached ephemerally (e.g., Redis) with TTL; only secret ARNs are persisted in Postgres.
- Application security: code review, CI checks, dependency scanning, change control for high-risk changes, rollback procedures.
- Network security: cloud firewalls/security groups; RDS ingress limited to the Nova ECS task security group and Trigger.dev IP range; OpenSearch resource policy limited to the Nova AWS account and Trigger.dev IP range; client authentication to OpenSearch via fine-grained access control (FGAC) credentials; short-lived /32 rules for temporary human access via a scripted workflow that records the change and removes it after use; WAF (where applicable); monitoring and alerting (Datadog, Sentry); log retention policies.
- AWS S3 access: file operations are gated behind presigned URLs with default ~30-minute expirations; job-level authorization is enforced; object keys are sanitized before upload; the S3 public access block is enforced (no public ACLs/policies); CORS is restricted to https://nova.dweet.com for PUT/GET/HEAD flows.
- Data management: data minimisation, classification, retention and deletion procedures; exports to support DSARs.
- Operational resilience: backups and point-in-time recovery for databases; S3 versioning; daily automated snapshots for OpenSearch; off-peak maintenance windows; disaster recovery planning.
- Workforce measures: confidentiality agreements; security and privacy training at onboarding and annually.
- Incident response: documented runbooks; 48-hour customer notification commitment upon becoming aware of a Personal Data Breach; investigation and remediation steps.
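As an added example (not Nova's code and not part of the DPA), the S3 controls stated in this Annex (public access block enforced, CORS limited to https://nova.dweet.com for PUT/GET/HEAD, ~30-minute presigned URL lifetime, sanitized object keys) expressed as checks a reviewer could run against a bucket's configuration. The configuration dicts are constructed here in the shape boto3 returns, and the check names are this example's own.

```python
import re

# Values from Annex II of the DPA; everything else here is constructed for the example.
ALLOWED_ORIGIN = "https://nova.dweet.com"
ALLOWED_METHODS = {"PUT", "GET", "HEAD"}
MAX_PRESIGN_SECONDS = 30 * 60  # "default ~30-minute expirations"
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def sanitize_object_key(raw: str) -> str:
    """Reduce an untrusted upload filename to a safe S3 key component:
    drop any directory part, collapse '..' runs, allow-list the characters."""
    name = raw.replace("\\", "/").rsplit("/", 1)[-1]
    name = re.sub(r"\.{2,}", ".", name)
    name = re.sub(r"[^A-Za-z0-9._-]", "_", name)
    return name.strip("._")[:255] or "unnamed"

def public_access_block_ok(pab: dict) -> bool:
    """The public access block is 'enforced' only if all four flags are True
    (dict shaped like boto3's get_public_access_block response)."""
    cfg = pab.get("PublicAccessBlockConfiguration", {})
    return all(cfg.get(k) is True for k in PAB_KEYS)

def cors_ok(cors: dict) -> bool:
    """Every CORS rule must allow only the Nova UI origin and a subset of PUT/GET/HEAD."""
    rules = cors.get("CORSRules", [])
    return bool(rules) and all(
        set(r.get("AllowedOrigins", [])) == {ALLOWED_ORIGIN}
        and set(r.get("AllowedMethods", [])) <= ALLOWED_METHODS
        for r in rules)

def presign_expiry_ok(seconds: int) -> bool:
    return 0 < seconds <= MAX_PRESIGN_SECONDS

def audit_bucket(pab: dict, cors: dict, presign_seconds: int) -> list:
    """Return the names of the Annex II checks that fail (empty list means compliant)."""
    checks = {"public-access-block": public_access_block_ok(pab),
              "cors-origin-methods": cors_ok(cors),
              "presign-expiry": presign_expiry_ok(presign_seconds)}
    return [name for name, ok in checks.items() if not ok]

# Constructed sample configurations: a weak bucket beside the corrected one.
WEAK_PAB = {"PublicAccessBlockConfiguration": dict.fromkeys(PAB_KEYS, False)}
GOOD_PAB = {"PublicAccessBlockConfiguration": dict.fromkeys(PAB_KEYS, True)}
WEAK_CORS = {"CORSRules": [{"AllowedOrigins": ["*"], "AllowedMethods": ["GET", "PUT", "DELETE"]}]}
GOOD_CORS = {"CORSRules": [{"AllowedOrigins": [ALLOWED_ORIGIN], "AllowedMethods": ["GET", "PUT", "HEAD"]}]}
```

Running `audit_bucket(WEAK_PAB, WEAK_CORS, 7 * 24 * 3600)` lists all three failures, while the corrected pair with an 1800-second presign lifetime returns an empty list.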
Annex III – Sub-processors
Current Sub-processors (as applicable to the Service and Controller's deployment). The authoritative, always-current list is maintained on our Sub-processors page.
- Amazon Web Services (AWS) — hosting (UK eu-west-2)
- Auth0 (Okta) — identity and access (EU)
- Trigger.dev (API Hero Ltd) — background job orchestration (UK)
- Flightcontrol — deployment orchestration (no customer PII by design; SOC 2)
- Resend — transactional email (SCCs)
- Datadog — monitoring/logs (EU)
- Sentry — error tracking (EU)
- PostHog — product analytics (UI only; no ATS/candidate data) (EU)
- Stripe — billing only (EU)
- OpenAI — AI inference (API data not used to train; up to 30-day retention for abuse monitoring unless ZDR is enabled; SCCs)
- Google Cloud Vertex AI (Gemini models) — AI inference (Zero Data Retention configured; SCCs)
- Exa Labs Inc. — web search functionality for company research (SCCs)
- OpenCage Data — geocoding location strings (if enabled; SCCs/adequacy as applicable)
- Proxycurl — LinkedIn enrichment (if enabled; SCCs/adequacy as applicable)
- Modal.com — serverless compute for PDF→Markdown (if enabled; Nova does not configure persistent volumes for this workflow)
- GitHub (Microsoft) — code hosting/tooling (US; SCCs) (metadata only; no customer PII stored by design)
Controllers may request a deployment-specific sub-processor confirmation at any time.
Annex IV – Transfer Mechanisms
1. EU Standard Contractual Clauses (SCCs) 2021/914 are incorporated by reference:
- Module 2 (Controller→Processor) for Controller → Processor transfers.
- Module 3 (Processor→Sub-processor) for Processor → Sub-processor transfers.
Clause 17 (Governing law): Ireland. Clause 18 (Forum): Courts of Ireland. The parties designate the competent supervisory authority per Controller's established location in the EEA (default: Irish DPC if none designated).
2. UK Addendum to the EU SCCs (IDTA) is incorporated by reference for restricted transfers under UK GDPR. The parties complete the Addendum with information in Annex I–III; the Addendum takes precedence for UK transfers.
Signatures
For Controller: [Customer Legal Name]
Name: ________________________________
Title: _________________________________
Date: __________________________________
For Processor: DWEET LTD
Name: ________________________________
Title: _________________________________
Date: __________________________________